NetworkRecon: PowerShell to Identify Network Vulnerabilities!

Posted by @pentestit | Updated: July 20, 2017 at 11:50 am

As PowerShell becomes more prevalent in the Windows environment, so will its use for vulnerability assessment and penetration tests. I have covered a few of them earlier, such as PowerSploit and PSAttack. However, none of the ones I mentioned help you detect network vulnerabilities. That is set to change with NetworkRecon, a script that helps you find anomalies in observable network protocols.

What is NetworkRecon?

NetworkRecon is an open source PowerShell network reconnaissance module that captures, analyzes, and identifies commonly misconfigured protocols, helping you assess the network protocols visible to Windows client systems for vulnerabilities. Analyzing a small amount of network traffic can reveal possible network-based attack vectors such as Virtual Router Redundancy Protocol (VRRP), Dynamic Trunking Protocol (DTP), Link Local Multicast Name Resolution (LLMNR) and PXE boot attacks. Additionally, you do not have to install third-party software, as PowerShell already includes several network analysis and traffic capture capabilities. It is modeled after the PowerShell Empire PowerUp script to provide easy identification of the targeted protocols.

Generally, VLAN trunking, network routing and network redundancy protocols should not be relayed to Windows clients. Misconfiguration of Dynamic Host Configuration Protocol (DHCP) also presents an attacker with options, such as analyzing a boot image for credentials and other sensitive information. NetworkRecon currently helps you analyze these protocols for network anomalies:

Name Resolution protocols: Protocols such as NetBIOS Name Service (NBT-NS), Link Local Multicast Name Resolution (LLMNR) and Multicast DNS (mDNS) give an attacker the opportunity to execute several different attacks by manipulating the hostname-to-IP-address relationship. An attacker can send malicious responses to a user's requests or become a Man-in-the-Middle (MitM) in the network conversation.

Routing and Redundancy Protocols: Routing information from protocols such as Hot Standby Routing Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP) and Open Shortest Path First (OSPF) can expose the network to route manipulation attacks. If routing traffic is present on an access port, an attacker can parse this information to determine whether authentication is in use and to capture credentials, allowing the attacker to inject malicious routing information.

Now, on to the modules that the script provides. The modules included in this script are Invoke-NeighborCacheAnalysis, Invoke-TraceCollect, and Invoke-LiveAnalysis. Their functionality is described below:

Invoke-NeighborCacheAnalysis: Looks for the presence of Layer 2 multicast addresses of potentially vulnerable protocols in the system ARP cache.

Invoke-TraceCollect: Performs a time-limited network trace leveraging the Microsoft-Windows-NDIS-PacketCapture provider in either .etl or .cap format depending on supported operating system features.
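To show what a neighbor-cache check of the kind Invoke-NeighborCacheAnalysis performs looks like in practice, here is an added example (not NetworkRecon's own code) that maps the IPv4 multicast groups of the protocols discussed above to their Layer 2 addresses and flags matching entries. It assumes the NetTCPIP module (Get-NetNeighbor, Windows 8 / Server 2012 and later) when run against the live host; the sample cache at the bottom is constructed so the logic can be exercised offline.

```powershell
# Added example, not part of NetworkRecon: flag neighbor (ARP) cache entries for multicast
# groups that a Windows client on an access port normally has no business seeing.
# Assumes Get-NetNeighbor (NetTCPIP module) is available when no sample data is supplied.

# IPv4 multicast groups of interest and the protocol that uses each one.
$WatchedGroups = @{
    '224.0.0.2'   = 'HSRP v1'           # all-routers group, used by HSRPv1 hellos
    '224.0.0.5'   = 'OSPF AllSPFRouters'
    '224.0.0.6'   = 'OSPF AllDRouters'
    '224.0.0.18'  = 'VRRP'
    '224.0.0.102' = 'HSRP v2'
    '224.0.0.251' = 'mDNS'
    '224.0.0.252' = 'LLMNR'
}

function ConvertTo-MulticastMac {
    # RFC 1112 mapping: 01-00-5E followed by the low 23 bits of the group address.
    param([Parameter(Mandatory)][string]$GroupAddress)
    $o = $GroupAddress.Split('.') | ForEach-Object { [int]$_ }
    return ('01-00-5E-{0:X2}-{1:X2}-{2:X2}' -f ($o[1] -band 0x7F), $o[2], $o[3])
}

function Find-WatchedNeighborEntries {
    # $Neighbors: objects with IPAddress and LinkLayerAddress (the Get-NetNeighbor shape).
    param([object[]]$Neighbors = (Get-NetNeighbor -AddressFamily IPv4))
    foreach ($n in $Neighbors) {
        $proto = $WatchedGroups[$n.IPAddress]
        if (-not $proto) { continue }          # not a group we care about
        $expected = ConvertTo-MulticastMac $n.IPAddress
        [pscustomobject]@{
            Group    = $n.IPAddress
            Protocol = $proto
            Mac      = $n.LinkLayerAddress
            # False means the cached MAC is not the standard mapping for that group.
            MacMatch = (($n.LinkLayerAddress -replace ':', '-').ToUpper() -eq $expected)
        }
    }
}

# Constructed sample cache (hypothetical values) so the function runs without touching the host.
$sample = @(
    [pscustomobject]@{ IPAddress = '224.0.0.22';  LinkLayerAddress = '01-00-5E-00-00-16' }  # IGMP, ignored
    [pscustomobject]@{ IPAddress = '224.0.0.18';  LinkLayerAddress = '01-00-5E-00-00-12' }  # VRRP
    [pscustomobject]@{ IPAddress = '224.0.0.252'; LinkLayerAddress = '01-00-5E-00-00-FC' }  # LLMNR
)
Find-WatchedNeighborEntries -Neighbors $sample | Format-Table -AutoSize
```

Entries for 224.0.0.251 and 224.0.0.252 are normal on a Windows host with mDNS or LLMNR enabled and mostly tell you the client itself participates in those protocols; it is the HSRP, VRRP and OSPF groups that should prompt a look at the switch port configuration.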
